Package org.certificateservices.messages.saml2.protocol

Class SAMLProtocolMessageParser

  • public class SAMLProtocolMessageParser
extends BaseSAMLMessageParser
    MessageParser for generating generate SAML 2.0 Protocol messages. This should be used when generating messages such as AuthNRequest and SAMLP Responses that is not connected to CSMessages.

    For CSMessage related assertions use AssertionPayloadParser.

    Created by philip on 02/01/17.

    • Constructor Detail

      • SAMLProtocolMessageParser

        public SAMLProtocolMessageParser()

    • Method Detail

      • getDefaultSchemaLocations

        public java.lang.String[] getDefaultSchemaLocations()
                                             throws org.xml.sax.SAXException
        Specified by:
        getDefaultSchemaLocations in class BaseSAMLMessageParser
        Returns:
        an array of schema locations used by the parser. The string value should point to resources available using getResourceAsStream()
        Throws:
        org.xml.sax.SAXException

      • lookupSchemaForElement

        protected java.lang.String lookupSchemaForElement​(java.lang.String type,
                                                  java.lang.String namespaceURI,
                                                  java.lang.String publicId,
                                                  java.lang.String systemId,
                                                  java.lang.String baseURI)
        Description copied from class: BaseSAMLMessageParser
        Method to find Schema for a specific element related to the custom schema locations. The implementation only need to find it's related XSD, the basic datatypes and XML itself are not needed.
        Specified by:
        lookupSchemaForElement in class BaseSAMLMessageParser
        Parameters:
        type - The type of the resource being resolved. For XML [XML 1.0] resources (i.e. entities), applications must use the value "http://www.w3.org/TR/REC-xml". For XML Schema [XML Schema Part 1], applications must use the value "http://www.w3.org/2001/XMLSchema". Other types of resources are outside the scope of this specification and therefore should recommend an absolute URI in order to use this method.
        namespaceURI - The namespace of the resource being resolved, e.g. the target namespace of the XML Schema [XML Schema Part 1] when resolving XML Schema resources.
        publicId - The public identifier of the external entity being referenced, or null if no public identifier was supplied or if the resource is not an entity.
        systemId - The system identifier, a URI reference [IETF RFC 2396], of the external resource being referenced, or null if no system identifier was supplied.
        baseURI - The absolute base URI of the resource being parsed, or null if there is no base URI.
        Returns:
        the resource as stream path to related schema XSD, or null if no matching found.

      • genAuthNRequest

        public byte[] genAuthNRequest​(ContextMessageSecurityProvider.Context context,
                              java.lang.String id,
                              java.lang.Boolean forceAuthn,
                              java.lang.Boolean isPassive,
                              java.lang.String protocolBinding,
                              java.lang.Integer assertionConsumerServiceIndex,
                              java.lang.String assertionConsumerServiceURL,
                              java.lang.Integer attributeConsumingServiceIndex,
                              java.lang.String providerName,
                              java.lang.String destination,
                              java.lang.String consent,
                              NameIDType issuer,
                              ExtensionsType extensions,
                              SubjectType subject,
                              NameIDPolicyType nameIdPolicy,
                              ConditionsType conditions,
                              RequestedAuthnContextType requestedAuthnContext,
                              ScopingType scoping,
                              boolean signRequest)
                       throws MessageProcessingException,
                              MessageContentException
        Method to generate a complex AuthNRequest Message.

        To request that an identity provider issue an assertion with an authentication statement, a presenter authenticates to that identity provider (or relies on an existing security context) and sends it an message that describes the properties that the resulting assertion needs to have to satisfy its purpose. Among these properties may be information that relates to the content of the assertion and/or information that relates to how the resulting message should be delivered to the requester. The process of authentication of the presenter may take place before, during, or after the initial delivery of the message.

        The requester might not be the same as the presenter of the request if, for example, the requester is a relying party that intends to use the resulting assertion to authenticate or authorize the requested subject so that the relying party can decide whether to provide a service.

        The message SHOULD be signed or otherwise authenticated and integrity protected by the protocol binding used to deliver the message.

        Parameters:
        context - message security related context. Use null if no signature should be used.
        id - the id to set in the AuthNRequest
        forceAuthn - A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is "false". However, if both ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the presenter unless the constraints of IsPassive can be met. (Optional, use null of it shouldn't be set)
        isPassive - A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default is "false". (Optional, use null of it shouldn't be set)
        protocolBinding - A URI reference that identifies a SAML protocol binding to be used when returning the message. See [SAMLBind] for more information about protocol bindings and URI references defined for them. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the AssertionConsumerServiceURL attribute. (Optional, use null of it shouldn't be set)
        assertionConsumerServiceIndex - Indirectly identifies the location to which the message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter, such as the Web Browser SSO profile in [SAMLProf]. The identity provider MUST have a trusted means to map the index value in the attribute to a location associated with the requester. [SAMLMeta] provides one possible mechanism. If omitted, then the identity provider MUST return the message to the default location associated with the requester for the profile of use. If the index specified is invalid, then the identity provider MAY return an error or it MAY use the default location. This attribute is mutually exclusive with the AssertionConsumerServiceURL and ProtocolBinding attributes. (Optional, use null of it shouldn't be set)
        assertionConsumerServiceURL - Specifies by value the location to which the message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing message is another. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute. (Optional, use null of it shouldn't be set)
        attributeConsumingServiceIndex - Indirectly identifies information associated with the requester describing the SAML attributes the requester desires or requires to be supplied by the identity provider in the message. The identity provider MUST have a trusted means to map the index value in the attribute to information associated with the requester. [SAMLMeta] provides one possible mechanism. The identity provider MAY use this information to populate one or more elements in the assertion(s) it returns. (Optional, use null of it shouldn't be set)
        providerName - Specifies the human-readable name of the requester for use by the presenter's user agent or the identity provider.
        destination - A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]). (Optional, use null of it shouldn't be set)
        consent - Indicates whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request. See Section 8.4 for some URI references that MAY be used as the value. of the Consent attribute and their associated descriptions. If no Consent value is provided, the identifier urn:oasis:names:tc:SAML:2.0:consent:unspecified (see Section 8.4.1) is in effect. (Optional, use null of it shouldn't be set)
        issuer - Identifies the entity that generated the request message. (For more information on this element, see Section 2.2.5.) (Optional, use null of it shouldn't be set)
        extensions - This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non- SAML-defined namespace. (Optional, use null of it shouldn't be set)
        subject - Specifies the requested subject of the resulting assertion(s). This may include one or more elements to indicate how and/or by whom the resulting assertions can be confirmed. For more information on this element, see Section 2.4. If entirely omitted or if no identifier is included, the presenter of the message is presumed to be the requested subject. If no elements are included, then the presenter is presumed to be the only attesting entity required and the method is implied by the profile of use and/or the policies of the identity provider. (Optional, use null of it shouldn't be set)
        nameIdPolicy - Specifies constraints on the name identifier to be used to represent the requested subject. If omitted, then any type of identifier supported by the identity provider for the requested subject can be used, constrained by any relevant deployment-specific policies, with respect to privacy, for example. (Optional, use null of it shouldn't be set)
        conditions - Specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting assertion(s). The responder MAY modify or supplement this set as it deems necessary. The information in this element is used as input to the process of constructing the assertion, rather than as conditions on the use of the request itself. (For more information on this element, see Section 2.5.) (Optional, use null of it shouldn't be set)
        requestedAuthnContext - Specifies the requirements, if any, that the requester places on the authentication context that applies to the responding provider's authentication of the presenter. See Section 3.3.2.2.1 for processing rules regarding this element. (Optional, use null of it shouldn't be set)
        scoping - Specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as limitations and context related to proxying of the message to subsequent identity providers by the responder. (Optional, use null of it shouldn't be set)
        signRequest - true if the request should be signed.
        Returns:
        a utf-8 encoded AuthNRequest message.
        Throws:
        MessageProcessingException - if internal problem occurred generating the message.
        MessageContentException - if invalid message format was detected.

      • genResponse

        public byte[] genResponse​(ContextMessageSecurityProvider.Context context,
                          java.lang.String inResponseTo,
                          NameIDType issuer,
                          java.lang.String destination,
                          java.lang.String consent,
                          ExtensionsType extensions,
                          ResponseStatusCodes statusCode,
                          java.lang.String statusMessage,
                          StatusDetailType statusDetail,
                          java.util.List<javax.xml.bind.JAXBElement<?>> assertions,
                          boolean signAssertions,
                          boolean signSAMLPResponse)
                   throws MessageContentException,
                          MessageProcessingException
        Method to generate a generic SAMLP Response message.
        Parameters:
        context - message security related context. Use null if no signature should be used.
        inResponseTo - the ID of the request, null if message was unreadable
        issuer - Identifies the entity that generated the response message. (Optional, null for no issuer)
        destination - A URI reference indicating the address to which this response has been sent. This is useful to prevent malicious forwarding of responses to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the response MUST be discarded. Some protocol bindings may require the use of this attribute. (Optional, null for no destination)
        consent - Indicates whether or not (and under what conditions) consent has been obtained from a principal in the sending of this response. See Section 8.4 for some URI references that MAY be used as the value of the Consent attribute and their associated descriptions. If no Consent value is provided, the identifier urn:oasis:names:tc:SAML:2.0:consent:unspecified (see Section 8.4.1) is in effect.
        extensions - This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. . No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non-SAML-defined namespace. (Optional, null for no extensions)
        statusCode - the failure code to respond to (Required)
        statusDetail - a container for generic status XML.
        statusMessage - a descriptive message, may be null.
        assertions - a list of Assertions or EncryptedAssertions (Important, the type must be a JAXBElement not only the AssertionType or EncryptedElementType, (Optional)
        signAssertions - sign all included assetions.
        signSAMLPResponse - if the response should be signed.
        Returns:
        a SAMLP failure message.
        Throws:
        MessageContentException - if parameters where invalid.
        MessageProcessingException - if internal problems occurred generated the message.

      • populateRequestAbstractType

        protected void populateRequestAbstractType​(RequestAbstractType requestAbstractType,
                                           java.lang.String id,
                                           java.lang.String destination,
                                           java.lang.String consent,
                                           NameIDType issuer,
                                           ExtensionsType extensions)
                                    throws MessageProcessingException,
                                           MessageContentException
        Help method to populate all base fields of a RequestAbstractType
        Parameters:
        id - the request id to set in the request.
        destination - A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]). (Optional, use null of it shouldn't be set)
        consent - Indicates whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request. See Section 8.4 for some URI references that MAY be used as the value. of the Consent attribute and their associated descriptions. If no Consent value is provided, the identifier urn:oasis:names:tc:SAML:2.0:consent:unspecified (see Section 8.4.1) is in effect. (Optional, use null of it shouldn't be set)
        issuer - Identifies the entity that generated the request message. (For more information on this element, see Section 2.2.5.) (Optional, use null of it shouldn't be set)
        extensions - This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non- SAML-defined namespace. (Optional, use null of it shouldn't be set)
        Throws:
        MessageProcessingException - if internal problem occurred generating the message.
        MessageContentException - if invalid message format was detected.

      • populateRequestAbstractType

        protected void populateRequestAbstractType​(RequestAbstractType requestAbstractType,
                                           java.lang.String destination,
                                           java.lang.String consent,
                                           NameIDType issuer,
                                           ExtensionsType extensions)
                                    throws MessageProcessingException,
                                           MessageContentException
        Help method to populate all base fields of a RequestAbstractType
        Parameters:
        destination - A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]). (Optional, use null of it shouldn't be set)
        consent - Indicates whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request. See Section 8.4 for some URI references that MAY be used as the value. of the Consent attribute and their associated descriptions. If no Consent value is provided, the identifier urn:oasis:names:tc:SAML:2.0:consent:unspecified (see Section 8.4.1) is in effect. (Optional, use null of it shouldn't be set)
        issuer - Identifies the entity that generated the request message. (For more information on this element, see Section 2.2.5.) (Optional, use null of it shouldn't be set)
        extensions - This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non- SAML-defined namespace. (Optional, use null of it shouldn't be set)
        Throws:
        MessageProcessingException - if internal problem occurred generating the message.
        MessageContentException - if invalid message format was detected.

      • populateStatusResponseType

        protected void populateStatusResponseType​(StatusResponseType statusResponseType,
                                          java.lang.String inResponseTo,
                                          java.lang.String destination,
                                          java.lang.String consent,
                                          NameIDType issuer,
                                          ExtensionsType extensions,
                                          ResponseStatusCodes statusCode,
                                          java.lang.String statusMessage,
                                          StatusDetailType statusDetail)
                                   throws MessageProcessingException,
                                          MessageContentException
        Help method to populate the common fields of a StatusResponseType object.
        Parameters:
        inResponseTo - the ID of the request, null if message was unreadable
        issuer - Identifies the entity that generated the response message. (Optional, null for no issuer)
        destination - A URI reference indicating the address to which this response has been sent. This is useful to prevent malicious forwarding of responses to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the response MUST be discarded. Some protocol bindings may require the use of this attribute. (Optional, null for no destination)
        consent - Indicates whether or not (and under what conditions) consent has been obtained from a principal in the sending of this response. See Section 8.4 for some URI references that MAY be used as the value of the Consent attribute and their associated descriptions. If no Consent value is provided, the identifier urn:oasis:names:tc:SAML:2.0:consent:unspecified (see Section 8.4.1) is in effect.
        extensions - This extension point contains optional protocol message extension elements that are agreed on between the communicating parties. . No extension schema is required in order to make use of this extension point, and even if one is provided, the lax validation setting does not impose a requirement for the extension to be valid. SAML extension elements MUST be namespace-qualified in a non-SAML-defined namespace. (Optional, null for no extensions)
        statusCode - the failure code to respond to (Required)
        statusMessage - a descriptive message, may be null.
        statusDetail - a container for generic status XML. (Optional)
        Throws:
        MessageContentException - if parameters where invalid.
        MessageProcessingException - if internal problems occurred generated the message.

      • extractAssertionsFromSAMLP

        public java.util.List<org.w3c.dom.Document> extractAssertionsFromSAMLP​(org.w3c.dom.Document samlPResponse)
                                                                throws MessageContentException
        Method that extracts all unencrypted SAMLP assertions from a SAMLPResponse and tries to retain any internal signature of existing assertions.
        Parameters:
        samlPResponse - the SAMLPResponse to extract Assertions from.
        Returns:
        a list containing all assertions found in SAMLP Document.
        Throws:
        MessageContentException